Are Data Breaches a Real Concern? Protecting Your Sensitive Information

DeWitt Stern Group Cyber Presentation

Phillips Auction House NY - 03/24/2015



Agenda

• Current Data Breach Issues & Legal Implications

• Data Breach Case Study

• Risk Management & Avoidance


Speakers

• Jay Brodsky – Managing Director, Executive Risk Practice, DeWitt Stern

• John Mullen – Chair, Data Security & Network Security Practice, Lewis, Brisbois, Bisgaard, & Smith LLP

• Mark Greisiger – CEO, NetDiligence

• Vinny Sakore, CIPP/IT – Assistant HIPAA Security Officer, Verizon

Current Data Breach Landscape

• Business shift:

– “Bricks and Mortar” to “Clicks and Orders”

• Supply of cyber-attack tools and stolen personal, credit card, and account information is way up; cost is down

• High profile breaches up (Anthem, Sony, Target, Neiman Marcus, Home Depot, etc.)

• Rising tensions between the U.S. and other nations such as Russia and Iran increasing the risk of retaliatory cyber attacks towards U.S. interests

Popular Attack Methods

• Botnets (collection of compromised computers; a zombie army)

• Distributed Denial of Service or DDoS (disruptive attack)

• Advanced Persistent Threats (long-term network breach and data exfiltration)

• Malware and injection attacks (SQL injection, Trojans, key loggers, fake pop-ups, man-in-the-browser (MitB) / account takeovers (ATOs))

• Social Engineering (phone cons, phishing emails, scams, and fake sites)

• Ransomware (locked out of the system, must pay a fee to regain access)

• Internal Threats (poor data management, system design, and hiring/training)

Legal Landscape

Duties Imposed By…

• State laws (statute and common law)

• Federal laws/regulations – HIPAA, SOX, GLB/Red Flags, etc.

• PCI

• International

State Regulatory Exposures

• State level breach notice: 47 states (plus Puerto Rico, Washington D.C., and the Virgin Islands) require notice to customers after unauthorized access to PII/PHI.

• Require firms that conduct business in the state to notify resident consumers of security breaches of unencrypted computerized personal information

• Many require notification of the state attorney general, state consumer protection agencies, and consumer credit reporting agencies

• Notice due “without unreasonable delay”

• Some states allow a private right of action for violations

Federal Regulatory Exposures

• HIPAA – set of national standards to protect PHI that is created, received, used, or maintained

• Applies to “covered entities” and “business associates”

• When a data security incident involves unauthorized access to PHI, a “breach” is presumed unless a risk assessment shows a low probability that the PHI was compromised

• Requires notice to the affected patients within 60 days of discovery, and for large breaches (the 500-individual threshold) to HHS and the media as well

• Other – Gramm Leach Bliley, Sarbanes Oxley, FACTA

Payment Card Industry (PCI)

• Payment Card Industry Security Standards Council (Visa, Mastercard, AmEx, Discover, JCB International)

• Requires merchants and service providers to abide by certain protocols to protect customers’ credit card information

• Payment brands may fine the acquiring bank $5,000 to $100,000/month for non-compliance. Banks often pass this fine on to the merchant.

• Violations of PCI DSS have multiple consequences

• Impact on standard of care – industry investigations, outside lawsuits

• Small minority of states have incorporated PCI-DSS requirements into data protection laws

Litigation Trends - Defense Eroding

• Stollenwerk v. Tri West – assert actual identity theft

• Krottner v. Starbucks Corp. – increased risk of identity theft constitutes an injury-in-fact

• Anderson v. Hannaford – alleged fraud in the affected population and money spent in mitigation efforts sufficient (instead of time/effort)

• Resnick v. AvMed – 11th Cir. – similar to Anderson; also, unjust enrichment claims are viable for failure to keep a promise to protect information following this decision

• In re Hannaford Bros. Data Security Breach Litigation – does time equal money? No. But fraud plus purchase of credit monitoring may equal standing.

• ChoicePoint Data Breach Settlement – FTC consumer redress fund paid for “time they may have spent monitoring their credit or taking other steps in response”

• Target Class Action – judge denies Target’s motion for dismissal, holding that the banks established a plausible allegation that failure to detect the intrusion caused the financial institutions harm

Case Study # 1

• An employee traveling on business loses an unencrypted laptop with data on approximately 10,000 clients and/or employees

– Your business deals with both individuals and corporations as your clients

– There is a mix of corporate information, that your business has a contractual obligation to keep confidential, and sensitive personal information

– You transact business with clients in numerous different states

– The employee who lost the laptop does not notify IT for three days, hoping that he/she will be able to locate the device

Case Study # 2

• Vendor used to process credit card transactions is hacked

– Your clients’ credit card information is in the custody of the vendor

– Your contract with the vendor limits their liability to the value of your contract

– You transact business with clients in numerous different states

Net Diligence Study - Based on 140 Claims Reported to 15 Different Insurance Carriers

PII was the most frequently exposed data (41% of breaches), followed by PHI (21%) and PCI (19%).

Hackers were the most frequent cause of loss (29%), followed by Staff Mistakes (13%).

Healthcare was the sector most frequently breached (23%), followed closely by Financial Services (22%).

Net Diligence Study - Based on 140 Claims Reported to 15 Different Insurance Carriers

Average claim $733K (median $144K)

Large Co = $2.9 mil; Medium = $688K; Small = $664K

*Target insurance claim payout ~$44M*

Per Record Costs

Average per-record cost $956 (up; 2013 was $307)

Average records lost 2.4 million (median records lost: 3.5K)

Crisis Services Costs (forensics, legal counsel, notification & credit monitoring)

Average cost of crisis services $366K (down; $737K in 2013)

Median cost of crisis services $110K

Legal Costs (defense & settlement)

Average cost of defense $698K (up; $575K in 2013)

Average cost of settlement $558K (up; $258K in 2013)

4 COMMON WEAK SPOTS

PROBLEM 1) IDS or ‘Intrusion Detection System’ (bad guy alert system)

Studies show that 70% of actual breach events are NOT detected by the victim company but by 3rd parties (and many more go undetected completely).

FTC and plaintiff lawyers often cite ‘failure to detect’

PROBLEM 2) Encryption (of private data)

Identity Theft Resource Center: only 2.4% of all breaches had ‘encryption’

Issues: budgets, complexities and partner systems

Key soft spots: data ‘at rest’ ...in databases & laptops (lesser extent)

Benefits: safe harbor (usually). Most state notice laws exempt encrypted data, but typically not when the encryption key was also compromised.

PROBLEM 3) Patch Management – Challenges:

All systems need constant care (patching) to keep bad guys out.

Lack of time: Gartner Group estimates that “IT Managers spend an average of 2 hours per day managing patches.”

PROBLEM 4) NO Centralized Security Event Logs

• SIEM (security information & event mgmt): central ‘brain’ that can synthesize raw security data feeds; this includes:

– aggregating data from many internal company servers and databases

– real-time monitoring, correlation of events, notifications

• Post breach – importance of SIEM: the computer forensics investigation takes much longer and costs greatly increase without SIEM.
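The fourth weak spot is what turns the first one into ‘failure to detect’: an intrusion usually shows up as a chain of ordinary-looking events spread across several systems, and no single system sees the chain. The Python below is an added example written for this page, not code from the presentation, DeWitt Stern or NetDiligence. It normalizes three constructed log feeds (VPN, web server, database; every line, IP address, user name and threshold is made up) into one timeline and runs two SIEM-style correlation rules: a credential brute force that ends in a successful login, and an injection-looking web request followed by a bulk database export from the same client.

```python
"""SIEM-style correlation over centralized logs (added example, not from the deck).

Three constructed feeds are normalized into one event timeline, then two rules run
that no single feed can detect alone: (1) repeated VPN failures followed by a success,
(2) a web request with SQL-injection markers followed by a bulk SELECT by the same client.
All log lines, IPs, user names and thresholds below are constructed for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote

# --- constructed sample feeds; each source uses its own timestamp format, as in real life ---
VPN_LOG = """\
2015-03-24T09:00:01 vpn auth-fail user=jsmith src=203.0.113.7
2015-03-24T09:00:03 vpn auth-fail user=jsmith src=203.0.113.7
2015-03-24T09:00:05 vpn auth-fail user=jsmith src=203.0.113.7
2015-03-24T09:00:06 vpn auth-fail user=jsmith src=203.0.113.7
2015-03-24T09:00:09 vpn auth-ok user=jsmith src=203.0.113.7
2015-03-24T09:30:00 vpn auth-fail user=mlee src=198.51.100.9
"""
WEB_LOG = """\
203.0.113.7 - - [24/Mar/2015:09:05:12 -0400] "GET /clients?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 5120
198.51.100.9 - - [24/Mar/2015:09:06:00 -0400] "GET /clients?id=42 HTTP/1.1" 200 812
"""
DB_LOG = """\
2015-03-24 09:05:14 app_user SELECT rows=10000 client=203.0.113.7
2015-03-24 09:06:01 app_user SELECT rows=1 client=198.51.100.9
"""

VPN_RE = re.compile(r"^(\S+) vpn (auth-fail|auth-ok) user=(\S+) src=(\S+)$")
WEB_RE = re.compile(r'^(\S+) \S+ \S+ \[([^ \]]+)[^\]]*\] "(\S+) (\S+) (\S+)" (\d{3}) (\d+)$')
DB_RE = re.compile(r"^(\S+ \S+) (\S+) (\w+) rows=(\d+) client=(\S+)$")
# Crude injection markers; the point is matching the *decoded* path, not signature quality.
SQLI_RE = re.compile(r"(?i)('|%27)\s*(or|and)\s+|union\s+select|--\s*$")

# Assumption: all feeds log in the same local time. A real pipeline normalizes to UTC at ingest.
def _parse(text, regex, builder):
    """Apply `regex` to each line; lines of unknown shape are skipped, not fatal."""
    return [builder(*m.groups()) for m in map(regex.match, text.splitlines()) if m]

def parse_vpn(text):
    return _parse(text, VPN_RE, lambda ts, outcome, user, src: {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), "source": "vpn",
        "kind": outcome, "src": src, "user": user})

def parse_web(text):
    return _parse(text, WEB_RE, lambda src, ts, method, path, _proto, status, size: {
        "ts": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S"), "source": "web",
        "kind": method, "src": src, "path": unquote(path),  # decode before any signature match
        "status": int(status), "bytes": int(size)})

def parse_db(text):
    return _parse(text, DB_RE, lambda ts, user, stmt, rows, client: {
        "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "source": "db",
        "kind": stmt, "src": client, "user": user, "rows": int(rows)})

def collect_events(vpn=VPN_LOG, web=WEB_LOG, db=DB_LOG):
    """The 'centralized log': every source on one clock-ordered timeline."""
    return sorted(parse_vpn(vpn) + parse_web(web) + parse_db(db), key=lambda e: e["ts"])

def detect_brute_force(events, threshold=4, window=timedelta(minutes=5)):
    """Rule 1: >= threshold failures for the same (src, user) inside `window`, then a success."""
    alerts, fails = [], defaultdict(list)
    for e in events:
        if e["source"] != "vpn":
            continue
        key = (e["src"], e["user"])
        if e["kind"] == "auth-fail":
            fails[key].append(e["ts"])
        else:  # auth-ok
            recent = [t for t in fails[key] if e["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({"rule": "brute-force-then-success", "src": e["src"],
                               "user": e["user"], "failures": len(recent), "ts": e["ts"]})
            fails[key].clear()  # a success resets the counter for that pair
    return alerts

def detect_sqli_exfil(events, window=timedelta(seconds=60), min_rows=1000):
    """Rule 2: injection-looking request, then a bulk SELECT by the same client within `window`."""
    alerts = []
    hits = [e for e in events if e["source"] == "web" and SQLI_RE.search(e["path"])]
    for hit in hits:
        for e in events:
            if (e["source"] == "db" and e["src"] == hit["src"] and e["rows"] >= min_rows
                    and hit["ts"] <= e["ts"] <= hit["ts"] + window):
                alerts.append({"rule": "sqli-then-bulk-export", "src": hit["src"],
                               "path": hit["path"], "rows": e["rows"], "ts": e["ts"]})
    return alerts

def run(vpn=VPN_LOG, web=WEB_LOG, db=DB_LOG):
    events = collect_events(vpn, web, db)
    return detect_brute_force(events) + detect_sqli_exfil(events)

if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Two details carry the slide’s point. Each rule finds nothing when handed only its own feed (the database log alone has no request to pair the 10,000-row SELECT with; the VPN log alone has no context for what the successful login did next), which is exactly the blind spot of a company with no central log. And the injection check runs on the URL-decoded path: the raw access-log line reads `%27%20OR%20`, so a signature applied before decoding would miss it.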

Preparedness Tips

• Perform a Cyber Risk Assessment

– Include any 3rd party dependencies (contractors, clouds etc.)

– Map your sensitive client data assets

– Review privacy with security (e.g. wrongful data collection exposure)

• Establish an internal ‘working group’ of senior execs to acclimate to a future data breach crisis

• Develop and operationalize an Incident Response Plan

– Leverage eRisk Hub® to bolster the IRP... self-help with outside experts

– Tiger Team experts

o Breach Coach (legal expert)

o Computer Forensics (triage and establish the facts: who, what, when, where & how)

o Notification & call center

o Credit & ID Monitoring

o PR

• Conduct training on a regular basis for all employees and vendors

• Review insurance coverage for gaps

Risk Transfer

Retention Each Claim – from $5,000 to $1M

Third Party Coverages (Negligence)

• Security & Privacy Liability (often includes a Regulatory Action sublimit)

• Media Content Liability

First Party Coverages (Costs)

• Network Interruption

• Cyber Extortion &/or Cyber Terrorism

• Data Restoration

• Event Management Expenses

Insurance Marketplace

ACE, AIG, Allied World, Axis, Beazley, CNA, CFC, Chubb, Endurance, Hartford, Liberty, Lloyd’s of London, Philadelphia, XL, Zurich

There are approximately 30 other insurers who offer some modicum of coverage

Not All Policies Created Equal

• Coverage purporting to be Cyber Liability

– Sublimits offered on other policies such as Property, General Liability, Package Policies, and Errors & Omissions policies

• Not all stand alone Cyber Liability policies are created equal

– Who is the insurer?

– Limits being offered for first party expenses

• Breach of Contract Exclusion

• Hammer Clause

• PCI Fines & Penalties Coverage

• Unencrypted Mobile Device Exclusions

• Claims Handling

Questions & Thank You